Page 1

Advanced Persistent Threats: Evaluating Effective Responses
Strategies for organizations and their impact
Michael Colson, Security Products

Page 2

© 2013 NetIQ Corporation. All rights reserved.

Persistence

“Nothing in the world can take the place of Persistence. Talent will not; nothing is more common than unsuccessful men with talent. Genius will not; unrewarded genius is almost a proverb. Education will not; the world is full of educated derelicts. Persistence and determination alone are omnipotent.”

Calvin Coolidge

Page 3

Introduction

• Today we will:

– Examine why Advanced Persistent Threats (APTs) are a problem (really)

– Look at what has NOT worked

– Examine what can work

– Provide some practical next steps

Page 4

What is an APT?

Page 5

Advanced Means…

They have a plan…

Page 6

P is for Persistent

Long haul…

Page 7

Just choose a target…

All your base are belong to us…

Page 8

What Are APTs?

• They are highly targeted attacks

• A long-term pattern of unauthorized computer system intrusions

• Advanced – not necessarily leading edge

– Sophisticated

– With structure

– They have a plan

• Persistent – the perpetrators are in no rush

– Patient

• Threat – establish a beachhead or exfiltrate information

– Successfully infiltrating your defenses is their trophy

– Your data is their pay-off

Page 9

Not Every Attack is an APT

• Don’t confuse them with random thieves

– Smash and grab

– Dude, check out the new Metasploit

• Important to understand the difference between opportunistic attackers and APTs

Page 10

Not Always State-Sponsored

Page 11

The Mandiant Study

http://intelreport.mandiant.com/

“Our evidence indicates that APT1 has been stealing hundreds of terabytes of data from at least 141 organizations across a diverse set of industries beginning as early as 2006.”

“Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual ...”

Page 12

Loss of Intellectual Property

The loss of industrial information and intellectual property through cyber espionage constitutes the "greatest transfer of wealth in history."

General Keith Alexander, NSA Director

Page 13

What Do They Look Like?

Page 14

What Do They Look Like?

• Typical attacks utilize:

– Email (phishing)

– Community portals (“watering hole”)

– Dropbox

– Portable media (USB thumb drive)

Page 15

Plausible Email Messages

Page 16

Plausible Email Messages

Page 17

Top Words Used in Spear Phishing Attacks

http://www.fireeye.com/resources/pdfs/fireeye-top-spear-phishing-words.pdf

Page 18

Unusual Activity

• Why is Jo on the system at 3 AM? I know she’s a hard worker and all…

• Why is the CPU usage spiking on the order-entry server?

• Is the sales team really using an open Dropbox account? Don’t we have a policy against that?

Page 19

Low-Hanging Fruit First…

• Attackers are not going to use a 0-day if they don’t have to

• Vulnerabilities against Java 7 Update 21 and Java 6 Update 45

• Already in exploit kits

Page 20

Low-Hanging Fruit First…

Top 5 Exploited Vulnerabilities

95% of all vulnerability-related attacks in the first half of 2013 involved 5 vulnerabilities; 4 of them were in Java, and 2 of them were from the year 2011.

Source: F-Secure Threat Report for the first half of 2013

Page 21

Examples

Page 22

Operation Aurora

6 months in duration, ending in December 2009

First publicly disclosed in January 2012

• Google

• Adobe Systems

• Juniper Networks

• Rackspace

Also targets, according to media reports:

• Yahoo

• Symantec

• Northrop Grumman

• Morgan Stanley

• Dow Chemical

Page 23

Operation Shady RAT

Cyber attacks started in mid 2006

At least 72 organizations, including:

• United States

• Canada

• South Korea

• The UN

• International Olympic Committee

• 12 US defense contractors

Page 24

Drone Contractor Breached

“Earlier this week, Bloomberg reported that QinetiQ, a high tech defense contractor specializing in secret satellites, drones and software used by U.S. special forces, was the victim of a sustained cybersecurity breach for several years starting in 2007.”

http://thinkprogress.org/security/2013/05/03/1958871/contractors-outsource-cybersecurity-hacked/

Page 25

Why Are They A Problem?

• Difficult (if not impossible) to keep out

• Target saleable information

• Very good at long-term penetration

• Traditional techniques do not keep them out

Page 26

This isn’t working…

Page 27

What Hasn’t Worked?

• Perimeter based defenses

• Malware scanning

• Anti-virus

• Employee training

• IDS

• In reality -

Page 28

What Hasn’t Worked?

• Perimeter based defenses

• Malware scanning

• Anti-virus

• Employee training

• IDS

• In reality -

YOU WILL NOT KEEP THEM OUT

Page 29

Better Approach

• Plan on being compromised

• Get the basics right

• Have a policy and a response plan

• Look for activity and changes, not tools

– Build a baseline

– Harden systems (patch and best practice configurations)

– Manage your privileged users

– Monitor for activity that looks suspicious*
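The “build a baseline, then monitor for activity that looks suspicious” step above, together with the 3 AM login on the Unusual Activity slide, as an added example that is not from the deck or from NetIQ: it learns each account’s normal login hours and hosts from past authentication events and flags new events that fall outside them. The log format, account names and host names are constructed for the example.

```python
# Added example (not from the NetIQ deck): learn each account's normal login
# hours and hosts from past events, then flag new events that fall outside them.
from collections import defaultdict
from datetime import datetime
# Constructed sample auth events in a simplified "timestamp user host result" format.
HISTORY = """\
2013-05-01T08:55:12 jo fileserver success
2013-05-01T17:40:03 jo fileserver success
2013-05-02T09:02:44 jo fileserver success
2013-05-02T18:10:20 jo fileserver success
2013-05-01T22:15:00 backup-svc dbserver success
2013-05-02T22:15:01 backup-svc dbserver success
"""
NEW_EVENTS = """\
2013-05-04T03:07:31 jo fileserver success
2013-05-04T09:01:10 jo fileserver success
2013-05-04T14:30:00 backup-svc fileserver success
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events

def build_baseline(events, slack_hours=1):
    """Per user: (earliest hour - slack, latest hour + slack, hosts used)."""
    hours, hosts = defaultdict(set), defaultdict(set)
    for ts, user, host, result in events:
        if result == "success":          # only successful logins define "normal"
            hours[user].add(ts.hour)
            hosts[user].add(host)
    return {u: (min(h) - slack_hours, max(h) + slack_hours, hosts[u])
            for u, h in hours.items()}

def find_anomalies(baseline, events):
    """Return (timestamp, user, reason) for events outside the user's baseline."""
    findings = []
    for ts, user, host, result in events:
        if user not in baseline:
            findings.append((ts, user, "no baseline for this account"))
            continue
        lo, hi, known_hosts = baseline[user]
        if not lo <= ts.hour <= hi:
            findings.append((ts, user, f"login at {ts:%H:%M} outside usual hours {lo:02d}-{hi:02d}"))
        if host not in known_hosts:
            findings.append((ts, user, f"first login to host {host}"))
    return findings
```

The 03:07 login for jo and the daytime login of the backup service account to a host it has never used are what the deck calls activity worth investigating; the slack window keeps ordinary early or late working hours from generating noise.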

Page 30

A Recipe…

• Know what you’ve got

• Understand how it’s at risk

• Implement reasonable policies & processes

• Enforce with technology

• Refine and repeat over time

Page 31

Identify and Protect Critical Data

• Finding the data

– Data may be in files, on physical media, in databases, or in the cloud.

– Most breaches involve data that the victim did not know was there.

• Categorizing data

– What data is sensitive and at risk?

• Monitoring access

– Can I identify abnormal access?

– Who is really accessing the information?

Page 32

Control and Monitor Privileged Access

• Monitor system and file integrity

– Changes to key system files.

– Modification of rarely accessed data.

• Investigate unusual changes

– Changes to key system files.

– Modification of rarely accessed data.

• Audit individual actions

– Focus on privileged and “high risk” users/accounts.
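An added example (not the deck’s or NetIQ’s code) of the “monitor system and file integrity” point above: a SHA-256 baseline is taken over a set of key files and a later scan reports what was modified, added or removed relative to it. The directory layout and file contents are constructed in a temporary directory for the example.

```python
# Added example (not from the NetIQ deck): a minimal file-integrity check.
# A baseline of SHA-256 digests is taken for a set of key files, and a later
# scan reports anything modified, added or removed relative to that baseline.
import hashlib
import os
import tempfile

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map of relative path (with '/' separators) -> digest for every file under root."""
    digests = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            digests[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return digests

def compare(baseline, current):
    """Classify each path as modified, added or removed between two snapshots."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }

def demo():
    """Constructed scenario: three 'key files', then one change, one addition, one deletion."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in [("etc/passwd", b"root:x:0:0\n"), ("etc/sudoers", b"# sudoers\n"),
                          ("bin/ls", b"\x7fELF-ls")]:
            os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as f:
                f.write(body)
        baseline = snapshot(root)                       # taken on a known-good system
        with open(os.path.join(root, "etc/sudoers"), "ab") as f:   # a key file changes
            f.write(b"# appended line\n")
        with open(os.path.join(root, "bin/sh"), "wb") as f:        # a new file appears
            f.write(b"\x7fELF-sh")
        os.remove(os.path.join(root, "bin/ls"))                     # a file disappears
        return compare(baseline, snapshot(root))
```

Each entry in the "modified" list is a candidate for the “investigate unusual changes” bullet; in practice the baseline is stored off-host so an intruder who alters a file cannot also alter the record of what it should look like.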

Page 33

Capture and Monitor Log Data

• Security and network devices generate lots of data

– OS, Network, Virtual, P&A, User Activity, DAM, IAM.

• Compliance mandates capture and review of logs

• Logs can often provide early warning signs

– 82% of the time, evidence was visible in logs beforehand.

• Failure to monitor is costly

– Breaches often go undiscovered and uncontained for weeks or months.

Page 34

What We See

Organizations are most successful when they:

– Adopt a pragmatic approach

– Prioritize monitoring around data – data centricity is key

– Include identity and access monitoring

– Tie as much together as possible to integrate information

– Filter and enrich monitoring of activity

Page 35

Next Steps

• Develop policy

• Understand what critical data you need to protect and where it is stored

• Focus resources around protecting inside the perimeter

• Layer defenses inside to slow down attackers

• Monitor for unusual activity

• Reduce your privileged user attack surface

• Create, agree, and OWN a response plan

Page 36

NetIQ Can Help

• Provide expertise and experience in Identity, Access Management and Security Management

• Help reduce the number of privileged users

• Reduce and manage privileges

• Monitor users and look for unusual activity

• Provide visibility into access rights to critical resources

• Harden systems against attackers

Page 37

Our Areas of Focus and Expertise

Security & Compliance

• Manage and audit user entitlements

• Track privileged user activity

• Protect the integrity of key systems and files

• Monitor access to sensitive information

• Simplify compliance reporting

Performance & Availability

• Monitor and manage heterogeneous environments including custom applications

• IT Service validation and end-user performance monitoring

• Dynamic provisioning of large-scale monitoring with exceptions

• Functional and hierarchical incident escalation

• Deliver and manage differentiated service levels

Identity & Access

• User Provisioning Lifecycle Management

• Centralize Unix account management through Active Directory

• Reduce number of privileged users

• Secure delegated administration

• Windows and Exchange migration
